The Privileged Attribute Certificate (PAC) is an extension to Kerberos tickets that contains useful information about a user’s privileges. This information is added to Kerberos tickets by a domain controller when a user authenticates within an Active Directory domain. When users use their Kerberos tickets to authenticate to other systems, the PAC can be read and used to determine their level of privileges without reaching out to the domain controller to query for that information (more on that to follow).
PACs contain very sensitive information and therefore have been the target of several Active Directory attack techniques over the years.
The PAC became a target for privilege elevation attacks against Active Directory in 2014 when a vulnerability in the Windows PAC validation algorithm was publically disclosed. You can read about that in full detail here, but to summarize it is a vulnerability that exists in Windows Server 2012 R2 domain controllers and earlier that allows attackers to forge a PAC for any user. So that means if this is unpatched on any domain controller, an attacker can forge a PAC for any user account they’ve compromised and effectively make that user a domain admin.
This was also covered in detail at Black Hat 2015 and on Adsecurity.org here. To test this vulnerability you can use the Python Kerberos Exploitation Kit (PyKEK) or Kekeo from the author of Mimikatz Benjamin Delpy.
Golden & Silver Tickets
Golden Tickets and Silver Tickets also allow attackers to leverage forged PACs in an Active Directory attack. A golden ticket could use this to create a valid Kerberos TGT for any user in the domain, but manipulate that user’s PAC so they gain additional privileges. This could be useful for averting detection by using seemingly innocuous accounts to perform privileged activities.
Silver Tickets similarly let attackers forget PACs for TGS tickets. Silver Tickets only give attackers rights to a specific service on a specific host. Sometimes that service account may not have unlimited rights, such as compromising a SQL service account that doesn’t have system level rights to the databases hosted on that SQL server. By forging a PAC an attacker could give that account extra privileges so they can completely compromise their target.
You can see below, by default Golden and Silver Tickets give users membership using privileged RIDs such as 512 (Domain Admins) and 519 (Enterprise Admins).
One feature worth understanding if you are looking to implement security around forged PACs is PAC Validation. This is a topic that has been covered in detail in several articles such as this one on the MSDN blog. PAC Validation is a feature that can be enabled or disabled on a Windows system. When enabled, the PAC of a user authenticating to that system will be checked against Active Directory to make sure it is valid. So this is basically put in place to avoid forged PACs.
This can be enabled with the registry key ValidateKdcPacSignature found here: [HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
Setting this to 0 will turn off PAC Validation.
While this sounds great, this is not a solution for forged PAC attacks. There are several exclusions to when PAC validation will work. If you read the referenced article above from Microsoft it explains:
“Windows OS sends the PAC validation messages to the NetLogon service of the DC when the service does not have the TCB privilege and it is not a Service Control Manager (SCM) service. The Local Security Authority Subsystem Service (LSASS) process will send PAC validation messages to the DC when the LSA client (the application server) is not running in the context of local system, network service, or local service; or it does not have SeTCBprivilege (Act as part of the operating system).”
In my testing, whether PAC validation was enabled or not, I was able to leverage Silver and Golden tickets against a target system.
Exploring User PACs
If you are interested in looking at a PAC for a user, there is a useful tool Impacket that comes with a script getPAC.py which allows you to do this. If you want to test this in Windows you should check out CommandoVM which packages up this script (and many others) as executable files so you don’t have to worry about Python dependencies.
You can see with this script you can target any user without any special privileges and return their PAC information:
There is a whole lot more than group membership in there and Microsoft has documented the entire structure here. Hopefully, this sheds some light on the importance of the PAC and how important it can be to detect and prevent Forged PAC attacks.
Learn more about how STEALTHbits addresses Windows Security with StealthAUDIT for Windows.
Jeff Warren is STEALTHbits’ General Manager, Products. Jeff has held multiple roles within the Product Management group since joining the organization in 2010, initially building STEALTHbits’ SharePoint management offerings before shifting focus to the organization’s Data Access Governance solution portfolio as a whole. Before joining STEALTHbits, Jeff was a Software Engineer at Wall Street Network, a solutions provider specializing in GIS software and custom SharePoint development.
With deep knowledge and experience in technology, product and project management, Jeff and his teams are responsible for designing and delivering STEALTHbits’ high quality, innovative solutions.
Jeff holds a Bachelor of Science degree in Information Systems from the University of Delaware.